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SUBJECT: Protecting User Privacy with Stationless Bicycle and Powered Scooter Data 


SFMTA staff have developed for the pilot Stationless Bicycle and Powered Scooter permit 
programs the preliminary real-time data-sharing requirements attached as Appendix A to this 
memorandum. These preliminary data-sharing requirements have been carefully drafted to 
ensure the following: 

1. The two programs will be driven by the Guiding Principles for Emerging Mobility 
Services and Technologies, adopted by both the SFMTA Board as well as the San 
Francisco Country Transportation Authority Board, and will support the SFMTA's 
Strategic Plan Goals; 

2. The two programs will produce sufficient data to enable the SFMTA to operate and 
evaluate the performance of the programs, and support the agency's planning efforts; 

3. The data sharing requirements are consistent with existing and emerging standards for 
real-time data sharing in the emerging mobility market. 

None of the data we request will contain personally identifiable information (or 
"PM"). However, we recognize that some of the data can be sensitive, and this memorandum 
describes the steps we are taking to protect the privacy and preserve the anonymity of all 
users of these programs. 
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What the Real-Time Data Sharing Requirements Contain 

We already protect user privacy through how we ask for data, and the real-time data feed 
requirements are focused around the following key areas of interest: 

• Trips. A record for each trip taken, including start/end time/location and routing, 
which will enable us to measure general travel patterns and usage of San Francisco's 
street network. 

• Status Changes. A record indicating the time/location of each device when its status 
changes (i.e., becomes reserved, available for use, unavailable for use, or removed from 
service) that will enable measuring the distribution of devices across the city over time. 

• Service Areas. A record for each geography that defines a service area, and the 
start/end dates that each area went into/out of effect. This includes types for smaller 
preferred and restricted pick-up/drop-off areas that may exist within a larger service 
area. This enables us to communicate temporary preferred/restriction zones for special 
events and/or construction and analyze how often devices were located in certain 
zones. 

None of these data feeds contain detailed user information. 1 Furthermore, this data will only 
be available to our staff in an aggregated form (e.g., maps of travel behavior throughout the 
city over a month, or statistics about the concentration of total devices in communities of 
concern). 

Protecting Sensitive Trip Data 

While raw trip data does not contain any PI I, the precise start/end points and times of a trip 
along with route information can still be considered sensitive. While we do not foresee a need 
to analyze individual trips, the records must be collected so that they can be aggregated for 
analysis to meet our needs. To safeguard this information, we are taking the following steps: 

• Minimize the amount of raw data stored. For the pilot program, we will aim to 
minimize the amount of raw data that we store by pulling data when we need it and 
immediately aggregating raw data for analysis. We will continually refine the 
aggregation process to meet our analytical needs. To this end, we require that 
permittees store data for two years so that we can re-aggregate archival data, if 
necessary. 

• Only share data in an aggregated form. We will also only make data available to the 
public in predefined aggregated formats. Requests for raw data or modifications to 
our aggregation specifications will trigger an internal Data Protection Impact 


1 The permittees will separately provide to the SFMTA aggregated membership data such as monthly unique users 
via a separate monthly report process. 
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Assessment to ensure anonymity and privacy. At a minimum, we will redact all fields 
with sensitive information - i.e., any field with time, location, and routing related to a 
user's trip - even if the data is requested via the Sunshine Ordinance. 

• Employ industry best practices for managing data. The SFMTA already stores and 
manages sensitive datasets, some of which contain Pll. We will apply the same 
rigorous accepted industry standards to data for this program that we do for all other 
sensitive datasets. 

The Stationless Bike and Powered Scooter pilot permit programs are an opportunity to test 
how these new mobility options meet San Francisco's transportation needs. We are 
committed to protecting user privacy while gathering the data we need to support these 
programs and better plan our streets. As part of the pilot evaluation, we will examine how 
well this method meets our analytical needs and use this to inform potential future programs. 
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